A ShmooCon Preview

It’s always tough to get a ticket for Washington D.C.’s ShmooCon hacker conference. Just over 1,200 tickets were available in three rounds of ticket sales for the January 28-30 event. It’s a sign of the conference’s popularity that each round sold out in under 10 seconds. Because ShmooCon is about a third of the size of a larger conference like Black Hat, it’s much easier to talk to the speakers without fighting with a crowd. Past years have had good presentations on mobile phone security and this year is no exception.

Starting off the batch is a presentation on Android security by researchers Jon Oberheide and Zach Lanier. They’ve previously had success with social-engineering users into downloading malicious proof-of-concept (PoC) apps. Their last app pretended to be an update for the Android version of the Angry Birds game. The timing was fortunate as it was after the release of the game, but before the official game update. Instead of offering new levels of bird-launching fun, the app exploited a security flaw that allowed it to download additional malicious programs without the user’s permission. The talk promises similar fun with the OS and an extension to third-party apps.

Anti-malware researchers Axelle Apvrille and Kyle Yang will do a detailed teardown of SymbOS/Zitmo.A. Zitmo.A was the mobile phone spyware used by the criminals behind the Zeus botnet to steal mTANs/TACs (Mobile Transaction Authorization Numbers/Codes). Your bank will send an mTAN to your mobile phone by SMS. An attacker would need to steal both your banking login and password (using the Zeus Trojan) and the SMS containing the currently active mTAN (with SymbOS/Zitmo.A or other spyware). The researchers will show how it works and a bit of how it may have been designed by the malware authors.

Recent threats like Android/Geinimi.A have generated a lot of interest in Android reverse engineering. Security researcher Scott Dunlop’s talk will cover methods using the Android SDK and emulator and other open-source tools for tearing apart, instrumenting, and modifying Android apps. The talk will include a practical example showcasing the reverse-engineering process on a mobile antivirus app. Dunlop will go over how it updates its signatures, how its SMS scanning functions, and the security of its network communication: essentially a case study on how not to write security software.

Mobile phones aren’t the only things under attack; the mobile networks are also at risk. Although attacks against GSM networks are becoming common and easier to perform, attacks against new 3G and 4G networks are still rare or unknown. Researchers Enno Rey and Daniel Mende will attempt to change that with their presentation on the security architecture of new mobile networks. The researchers will provide tales from their experience in testing real-world networks, and not just discuss theoretical attacks.

This year there are nearly twice as many smartphone-related talks as at last year’s ShmooCon. It looks like the start of an interesting year in smartphone and mobile threat research.